Last month, the U.S. Office of the Under Secretary of Defense for Acquisition and Sustainment released draft version 0.6 of the Cybersecurity Maturity Model Certification (CMMC) standards document.
This release includes some reductions in the total number of requirements and provides additional clarity on the standards for Level 1 compliance. For small businesses that are either just getting started, or currently holding contracts that are not expected to involve controlled unclassified information (CUI), CMMC Level 1 may be all you need. As I’ve noted before, the earlier that people, processes and technologies can be adapted to meet this compliance requirement, the smoother the transition will be. An added bonus: if you already meet this level of compliance, you may be able to schedule and execute your assessment before the mad rush in the summer of 2020.
Level 1 Requirements Based on Federal Acquisition Regulations
OUSD(A&S) has been consistent in asserting that Level 1 will be attainable without breaking the bank. They’ve identified 15 requirements and procedures to meet this compliance standard. These 15 are extracted nearly verbatim from 48 CFR § 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems.
Fortunately for many, this contract clause is well known, and you’ve likely been operating under its requirements already. The 15 requirements and procedures are:
- Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
- Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
- Verify and control/limit connections to and use of external information systems.
- Control information posted or processed on publicly accessible information systems.
- Identify information system users, processes acting on behalf of users, or devices.
- Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
- Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
- Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
- Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- Identify, report, and correct information and information system flaws in a timely manner.
- Provide protection from malicious code at appropriate locations within organizational information systems.
- Update malicious code protection mechanisms when new releases are available.
- Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Federal Contract Information
In the v0.6 draft, protection of federal contract information (FCI) was noted as one of the driving factors requiring all DoD contractors to meet some level of compliance. Federal contract information is not a category of controlled unclassified information; at least, it is not listed in the CUI Registry. However, the specific details of contract information may be restricted from public disclosure for various reasons. FCI is, in fact, called out in 48 CFR § 52.204-21, so this remains consistent between the Federal Acquisition Regulation and the CMMC.
Many Questions Remain Unanswered
This latest draft does help to clarify the requirements and procedures necessary to meet the CMMC standards and successfully undergo an assessment. Some fundamental questions remain, however, such as how long a certification is good for, how much assessments will cost, and when they can be scheduled. Also, draft v0.6 purposely left out further explanation of Levels 4-5, indicating these will be further refined prior to the next draft release.
The Time to Prepare is Now
As I’ve noted quite a few times, the longer we wait to achieve operational cybersecurity compliance with these standards, the more difficult and resource-intensive the process will be. Consider that by the time your assessment is at hand, you not only want the controls, policies and procedures in place, but also want your organization to have had time to incorporate them into daily activities.